eBay counts the cost after 'challenging' data breach

John Donahoe, the chief executive officer of eBay, has confirmed that May's data breach has had a negative impact on revenues and user activity.

Donahoe was speaking during the firm's second-quarter (Q2) earnings call on Wednesday night, where he admitted that the company-wide password reset – enforced following a hack that affected all 145 million users – had an impact on commerce volume.

“The focus is now on recovery,” said Donahoe, who cited the cyber-attack and departure of PayPal president Dave Marcus as “body blows” in a “challenging” quarter.

The San Diego firm's financial results were still – by and large – better than expected. The company reported Q2 revenues of US$ 4.37 billion (£2.55 billion) – up 13 percent from the year before and in line with analyst expectations – while earnings rose 6 percent to US$ 676 million (£395 million).

But the company did see a decline in user activity, which in turn had a knock-on effect on the balance sheet.

Donahoe said that 85 percent of buyer accounts had reset their passwords, but added that some had yet to return to the activity levels they had before the data breach.

Against this decline in activity, quarterly net revenue generated from marketplace activities increased by nine percent year-on-year (YoY) to US$ 2.17 billion (£1.27 billion), a rise that was overshadowed by PayPal's net sales increasing 20 percent YoY to US$ 1.95 billion (£1.14 billion).

The data breach in May saw hackers compromise a database containing user passwords – allegedly after stealing an employee's access credentials. The company said at the time: “There is no evidence that any financial information was accessed or compromised; however we are taking every precaution to protect our customers.”

Despite this, the company was widely criticised for the way it responded to the breach. Several information security experts were bewildered at the lack of email communications informing users of the security incident, while others said that the password renewal process was poorly implemented.

A Clearswift study – carried out by YouGov – revealed that only a third of eBay account holders had changed their password one week after eBay went public with the incident, while 49 percent of adults online said that they would be less inclined to use the service going forward.

Shortly after the attack, the company lowered its annual sales target by US$ 200 million (£117 million) and is now expecting yearly revenues to fall somewhere between US$ 18 billion (£10.53 billion) and US$ 18.3 billion (£10.70 billion).

On learning these results, veteran independent security consultant Graham Cluley told SCMagazineUK.com that he suspected that most of the damage would be reputational.

“It's disappointing to see that 15 percent of people still haven't bothered to change their eBay passwords,” said Cluley by email.

“I suspect part of the damage done to eBay was not so much caused by the hack itself, but by the amateurish and slipshod way that the company handled its response and communication with users afterwards.”

Quizzed further by SC on whether the breach would force eBay to take security more seriously in future, Cluley said: “I'm sure they're much more focused already on security. It's definitely got the attention of eBay's board.”

David Lacey, futurologist and security researcher with IOActive, a provider of specialist information security services, added that the results were not overly surprising, but slammed the way eBay dealt with the breach at the time.

“Large scale breaches always result in financial losses because of the cost to respond and repair the damage,” said Lacey.

“Lost future sales is a more variable impact, as it depends on factors such as brand value, competition, and customer confidence. 

“The way the company handles the crisis is key. TJ Maxx lured customers back with special offers. RSA reassured customers they had fixed the problem and were now stronger. Advising customers to change passwords is not enough. You need a more imaginative response.”